<p>Well, someone could theoretically include injectable data via <code>data:</code>, so something like <code>data:text/html;base64,b21naGF4</code> becomes the world's weakest payload. Restricting things so that the first few characters must be http doesn't always work, as older browsers may still convert <code>https://;javascript:alert('omghax')</code> into a working exploit.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href='https://github.com/opentechinstitute/commotion-apps/issues/12#issuecomment-24105549'>view it on GitHub</a>.</p>
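<p>An added example, not part of the original comment or of the commotion-apps code: it contrasts the "starts with http" check the comment warns about with parsing the value and allowlisting the parsed scheme. The function names and the sample list are hypothetical; the two payload strings are the ones quoted in the comment.</p>

```javascript
// Added example. All names here are hypothetical, not from commotion-apps.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// The weak check: only inspects the first characters of the raw string.
function naivePrefixCheck(input) {
  return String(input).startsWith("http");
}

// Parse first, then allowlist the *parsed* scheme.
// Returns the normalized URL to store and render, or null to reject.
function normalizeAppUrl(input) {
  let url;
  try {
    // No base URL is given, so relative or malformed input throws.
    url = new URL(String(input));
  } catch (err) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return null;
  }
  // Use the parser's serialization downstream, never the raw input,
  // so the validated value and the rendered value cannot differ.
  return url.href;
}

// Constructed sample inputs (the first two come from the comment).
const SAMPLES = [
  "data:text/html;base64,b21naGF4",
  "https://;javascript:alert('omghax')",
  "httpfoo:bar",
  "javascript:alert(1)",
  "/relative/path",
  "HTTP://Example.org",
  "https://example.org/app",
];

// Run both checks over the samples so the disagreements are visible.
function auditSamples() {
  return SAMPLES.map((input) => ({
    input,
    naive: naivePrefixCheck(input),
    strict: normalizeAppUrl(input),
  }));
}

console.table(auditSamples());
```

<p>Rows where <code>naive</code> is true but <code>strict</code> is null are the inputs a prefix check lets through.</p>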